Chivalric Disorder as Knight and Dame Data Goes ErrantBritish Government Apologizes for New Year's Honors List Recipient Data Breach
Human error looks to be the obvious culprit in a data breach involving personal details for a who's who of British society.
See Also: Automating Security Operations
On Friday, Britain's Cabinet Office released a spreadsheet listing the recipients of the 2020 "New Year's Honors" list, which "recognizes the achievements and service of extraordinary people across the United Kingdom."
Unfortunately, the original version of the CSV-formatted spreadsheet, posted online Friday night, also listed the home addresses for many recipients, who include members of the police, prison service and military, including more than a dozen employees of the Ministry of Defense as well as senior counterterrorism officials.
"A version of the New Year Honors 2020 list was published in error which contained recipients’ addresses," a Cabinet Office spokeswoman tells Information Security Media Group. "The information was removed as soon as possible. We apologize to all those affected and are looking into how this happened."
The Cabinet Office says the spreadsheet containing recipients' non-redacted home addresses was online for about an hour before being removed. But copies of the spreadsheet were downloaded before it was removed, and emailed to journalists, among others.
"We have reported the matter to the ICO and are contacting all those affected directly," the Cabinet Office says, referring to the Information Commissioner's Office, which enforces the country's data protection laws.
The ICO says in a statement: "In response to reports of a data breach involving the Cabinet Office and the New Year's Honors list, the ICO will be making enquiries."
In total, the honor's list named 1,097 individuals, including musician Elton John, British-born musician and actor Olivia Newton-John, who will be made a dame, as well as film director Sam Mendes, novelist Rose Tremain, playwright and "Dangerous Liaisons" screenwriter Christopher Hampton, Alison Saunders, the former director of public prosecutions at the Crown Prosecution Service, and Steve McQueen, director of "12 Years A Slave," who will receive a knighthood for services to film.
Numerous honors recipients also hail from the technology industry, including Graham Wylie - co-founder of Sage, the UK’s largest software business - and Bill Thomas, who for 10 years chaired EDS UK, the country's largest IT services firm, and who now chairs security firm Spirent and serves on FireEye's advisory board, among other roles.
The honors list was drawn up under the premiership of Theresa May, who's since been succeeded by Boris Johnson as prime minister.
Unfortunately, it doesn't appear that the exposed data can be easily contained.
“This could be catastrophic,” says human rights lawyer Ravi Naik. “It is hard to put the information genie back in the bottle once it’s out. This quite sensitive data will spread like a virus and is extremely difficult to remedy."
Naik added: "There is also a security risk to Ministry of Defense staff and I hope the Cabinet Office will be taking steps to remedy that. But you can’t get everyone to move house.”
British government officials declined to discuss specific security advice they may have offered to individuals whose personal details were exposed.
Full Investigation Urged
While the cabinet office has yet to identify the root cause of the data breach, U.K.-based security expert Kevin Beaumont said one likely explanation was that someone tried to toggle an Excel column containing the home addresses to "hidden" before exporting the spreadsheet to CSV format, not realizing that hidden columns get included in any such export.
Speaking Sunday on the BBC Breakfast television show, Bob Kerslake, who headed Britain's civil service from 2012 to 2014, called for a full investigation to be immediately launched by Mark Sedwill, the British government's cabinet secretary and head of the civil service.
“Of course, it’s likely to be human error, as has been suggested, but we need to know how well staff were trained about the importance of maintaining security. Were they briefed on the potential consequences if this information was released?” Kerslake said.